03/24/2015

Employee Privacy and Employer Liability: The BYOD Dilemma

by ZixCorp

You may remember this blog and an expert panel webinar I hosted in January. Since then, I have received several requests to give my own opinion* on how to best ensure employee personal privacy and to minimize any potential employer liability issues associated with enabling BYOD in the workplace.

Let’s recap the July 2014 US Supreme Court ruling on smartphone privacy, Riley v. California. The ruling was unanimous – all nine Justices in favor – therefore this decision is not going to be overturned during my lifetime. Chief Justice John Roberts wrote that smartphones “differ in both a quantitative and a qualitative sense from other objects… [m]odern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”

More than a dozen states now have laws that prohibit employers from accessing their employees’ (and candidates’) social media accounts. Personally owned mobile devices contain or enable access to vastly more of an employee’s private data. My opinion is that, in due course, all private, personal data stored on mobile devices – including BYOD and company-provided devices – will be protected from intrusion by the government, the employer and other unauthorized parties. Not only will this mean that employers will need to ensure that it is impossible for IT staff or others to access other employees’ private data, but employers will not be allowed to erase that private data without the voluntary, fully informed consent of the employee. In many situations this may render today’s remote wipe consents illegal.

One of the several things I learned from the January webinar is that requiring an employee to sign a multi-page policy document in order to use a mobile device for work purposes may not result in the voluntary, fully informed consent of the employee. This is because the relationship between employer and employee is not one of parties in an equal bargaining position; it is an asymmetrical relationship. Thus, a court could determine that an employee was effectively coerced into signing the remote wipe policy in order to use a device that is, for all practical purposes, required for employment.

As mobile device privacy laws evolve, MDM and containerized solutions will need to change radically. Firstly, MDM solutions have the capability to snoop into the types of personal apps the employee installs on his or her device, and possibly even their personal content within those apps. The fact that your IT staff claim they never do it, or your policy prohibits it, will not hold water: How do you prove in court that nobody actually snooped or that an employment-related decision was not influenced by employee personal data that is accessible by the employer? Secondly, how do you keep your remote wipe from erasing the employee’s protected personal information? It’s not realistic to expect employees to segregate their personal data into a tidy little container on their device, maintained entirely separate from their work lives.

It may be that the folks developing enterprise mobility management suites will, in time, come up with solutions to these headaches, but I prefer a solution that already avoids all these problems. That is the secure viewer solution, the one where no corporate data is ever stored on the BYOD device and where it is impossible for the employer to snoop into personal data. What’s more, the solution addresses the majority of concerns expressed by participants in this survey conducted for Zix.